
Adobe Patches Critical SessionReaper Vulnerability in Commerce and Magento

Adobe's quick fix closes a serious security gap. Merchants: update now to protect customer data.



Adobe has patched a critical vulnerability, dubbed SessionReaper, affecting Adobe Commerce and Magento Open Source. The flaw, reported by researcher blaklis, allows customer account takeover and remote code execution under certain conditions.

The vulnerability affects Adobe Commerce up to 2.4.9-alpha2 and Adobe Commerce B2B up to 1.5.3-alpha2. It also affects Magento Open Source up to 2.4.9-alpha2 and the Custom Attributes Serializable module, versions 0.1.0 to 0.4.0.

SessionReaper enables remote code execution via Magento's REST API by combining a malicious session with a deserialization bug, and an attacker can use the same Commerce REST API to take over customer accounts. Adobe is not aware of any attacks exploiting this vulnerability in the wild; Sansec nonetheless advises all merchants to act immediately, because there are multiple exploit paths for this vulnerability.

Adobe has fixed the flaw, identified as CVE-2025-54236, which carries a CVSS score of 9.1. Merchants should update their platforms to the latest patched versions to protect customer data and system security.
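As an added triage helper (not code from the article, Adobe or Sansec), the script below checks whether an installed version string falls inside the affected ranges the article lists. It handles Magento-style suffixes (alpha/beta/rc pre-releases sort before the final release, -pN patch releases after it); that ordering rule and the use of product names as keys are assumptions of this example.

```python
import re

# Ordering of release suffixes (assumed): alpha < beta < rc < final < patch (-pN).
SUFFIX_RANK = {"alpha": 0, "beta": 1, "rc": 2, "p": 4}
FINAL_RANK = 3

# Affected ranges as stated in the article for CVE-2025-54236 (inclusive bounds).
# "0" as a lower bound means every earlier release is included ("up to ...").
AFFECTED_RANGES = {
    "Adobe Commerce": ("0", "2.4.9-alpha2"),
    "Adobe Commerce B2B": ("0", "1.5.3-alpha2"),
    "Magento Open Source": ("0", "2.4.9-alpha2"),
    "Custom Attributes Serializable": ("0.1.0", "0.4.0"),
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-(alpha|beta|rc|p)(\d*))?")


def parse_version(text):
    """Turn '2.4.9-alpha2' into a sortable key: ((2, 4, 9), (0, 2)).

    The second element ranks the suffix so that 2.4.9-alpha2 < 2.4.9 < 2.4.9-p1.
    """
    match = _VERSION_RE.fullmatch(text.strip().lower())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    if match.group(2):
        suffix = (SUFFIX_RANK[match.group(2)], int(match.group(3) or 0))
    else:
        suffix = (FINAL_RANK, 0)
    return numbers, suffix


def is_affected(product, installed):
    """True if `installed` lies within the article's affected range for `product`."""
    low, high = AFFECTED_RANGES[product]
    return parse_version(low) <= parse_version(installed) <= parse_version(high)


def affected_components(inventory):
    """Filter a {product: version} inventory down to the components needing the patch."""
    return {p: v for p, v in inventory.items() if p in AFFECTED_RANGES and is_affected(p, v)}


if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real deployment.
    sample = {"Adobe Commerce": "2.4.7-p3", "Custom Attributes Serializable": "0.3.0"}
    print(affected_components(sample))
```

Run it against the component versions reported by your own deployment; anything it returns is still on a vulnerable release according to the article's ranges.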
